HAMMERTOSS is a new piece of malware, identified by security specialist FireEye, which spreads via images distributed over Twitter and through code hosted on GitHub.
The malware is believed to have originated in Russia and to be part of the toolkit used by an organisation known as APT29. APT stands for advanced persistent threat, a class of attacks that seek to infiltrate high-profile organisations over time in order to gain access to highly sensitive commercial information.
What makes HAMMERTOSS interesting is that it uses a range of obfuscation and monitoring techniques to hide itself from detection. Many of the techniques it uses are already known, but it is the way that HAMMERTOSS combines them that allows it to stay hidden.
HAMMERTOSS taking advantage of social media and cloud storage
According to the FireEye press release the behaviour of HAMMERTOSS includes:
- Beaconing each day to a different, algorithmically-matched Twitter handle for links and hash tags with commands;
- Following social media links to sites like GitHub that host images with commands hidden within them using a practice known as steganography; and
- Executing commands and extracting data from the victims’ machines before uploading them to cloud storage services.
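One way defenders can act on the second bullet: an image that carries hidden data often still renders normally because the extra bytes sit after the format's end-of-image marker, where viewers stop reading. The check below walks a PNG's chunk list, returns anything that follows the IEND chunk, and scores that tail by entropy, since encrypted or compressed command data looks nothing like a text comment or zero padding. This is an added example, not code from the article or from FireEye's report, and it makes no claim about the exact encoding HAMMERTOSS uses; the sample images are constructed inline and the `min_trailer` and `min_entropy` thresholds are assumptions to tune against your own image traffic.

```python
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def trailing_bytes_after_iend(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.

    A well-formed PNG ends at the CRC of its IEND chunk, so decoders ignore
    anything after it; that makes the file tail a convenient hiding place.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length/type header + chunk data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk found")


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_image(data: bytes, min_trailer: int = 16, min_entropy: float = 7.0) -> dict:
    """Flag an image whose post-IEND tail is both sizeable and high-entropy.

    Thresholds are assumptions for this example: short, low-entropy tails
    (a few padding bytes, an ASCII note) are common and not worth an alert.
    """
    trailer = trailing_bytes_after_iend(data)
    entropy = shannon_entropy(trailer)
    return {
        "trailer_len": len(trailer),
        "trailer_entropy": round(entropy, 2),
        "suspicious": len(trailer) >= min_trailer and entropy >= min_entropy,
    }


# --- constructed sample input (not taken from any real campaign) ------------

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_1x1_png() -> bytes:
    """Minimal valid 1x1 greyscale PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


CLEAN_PNG = make_1x1_png()
# Constructed high-entropy tail standing in for an encrypted command blob.
TRAILER = bytes(range(256))
STUFFED_PNG = CLEAN_PNG + TRAILER

if __name__ == "__main__":
    print("clean:  ", assess_image(CLEAN_PNG))
    print("stuffed:", assess_image(STUFFED_PNG))
```

Run it over images pulled from a proxy cache or mail gateway rather than on the endpoint; the point is to surface files that are structurally "finished" yet keep going, which is cheap to compute at scale. JPEG needs a different walk (its scan data has no length field), so this check is PNG-only by design.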
One of the advantages of using both social media and cloud storage is that many companies fail to monitor them properly. There is now a tacit acceptance inside many organisations that users should have unrestricted access to social media at work, through both the enterprise network and their personal devices. As social media is often seen as personal rather than business use, companies fail to monitor it properly for fear of being accused of spying or intruding on users' privacy.
Cloud storage is another difficult area for companies. Users are already exfiltrating large amounts of sensitive data through cloud storage accounts, as they believe it is the only way to access data when not in the office. Although security teams are beginning to crack down on what is being sent outside the office, few are willing to block the traffic for fear of being accused of preventing users from doing their jobs.
As a result, it should come as no surprise that the techniques being used by HAMMERTOSS are taking advantage of this.
HAMMERTOSS developers showing a high degree of sophistication
According to an early version of the FireEye press release: “While other APT groups try to cover their tracks, very few groups show the same discipline to thwart investigators and the ability to adapt to network defenders’ countermeasures.
“For example, APT29 solely uses compromised servers for CnC, counters remediation attempts, and maintains a rapid development cycle for its malware by quickly modifying tools to undermine detection. These aspects make APT29 one of the most capable APT groups that we track.”
There is a detailed report from FireEye, titled “HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group”, which can be downloaded from its website (registration required). It shows all the stages of an infection, from the initial message over Twitter to the downloading of the payload and eventually the execution of commands that steal user data.
For security teams inside enterprises, and at Twitter itself, this report makes for disturbing reading. Every sample of HAMMERTOSS will create a new Twitter handle. This means that security teams have to be constantly looking for the handle for that day and adding it to their block lists.
Once the handle has been registered, it sends out a URL and a hashtag which redirect the user to a webpage from which it will download an image. Using an old spy technique called steganography, the image has code embedded inside it. The user is also directed, in the background, to GitHub, an open-source code repository service, from which it will download additional payload data.
When the code inside the image and the payload downloaded from GitHub are combined, they form a series of commands and instructions to be executed on the user's machine. These commands will run services on the machine and search for data to be sent to a remote site.
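The chain just described (a daily lookup of a fresh Twitter handle, an image fetched from GitHub, then an upload to cloud storage) is something a security team can hunt for in its own proxy logs without knowing the day's handle in advance: correlate the three stages per host within a short window, then look for hosts whose looked-up handle changes from one day to the next. The following is an added example, not part of the article or of FireEye's report, run over constructed log lines; the log format, the handle paths, the cloud-storage host list, the ten-minute window and the upload-size threshold are all assumptions to adapt to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not real traffic): time src method host path bytes_out
SAMPLE_LOG = """\
2015-07-29T09:00:01 10.1.4.22 GET twitter.com /acct_20150729 0
2015-07-29T09:00:03 10.1.4.22 GET github.com /example-user/example-repo/raw/master/pic.png 0
2015-07-29T09:02:10 10.1.4.22 PUT storage.example.net /upload/session 2097152
2015-07-29T09:15:00 10.1.4.23 GET twitter.com /home 0
2015-07-29T09:15:30 10.1.4.23 GET github.com /octocat/Hello-World 0
2015-07-30T09:00:02 10.1.4.22 GET twitter.com /acct_20150730 0
2015-07-30T09:00:04 10.1.4.22 GET github.com /example-user/example-repo/raw/master/pic2.png 0
2015-07-30T09:03:00 10.1.4.22 PUT storage.example.net /upload/session 4194304
"""

IMAGE_EXT = re.compile(r"\.(png|jpe?g|gif)$", re.IGNORECASE)
PROFILE_PATH = re.compile(r"^/[A-Za-z0-9_]{1,15}$")  # a bare profile path
TWITTER_NON_PROFILE = {"/home", "/search", "/login", "/i", "/explore"}
CLOUD_STORAGE_HOSTS = {"storage.example.net"}  # assumption: hypothetical host list
WINDOW = timedelta(minutes=10)                 # assumption
UPLOAD_THRESHOLD = 1_000_000                   # bytes; assumption


def parse(log_text: str):
    """Turn the constructed log into (time, src, method, host, path, bytes_out) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, method, host, path, out = line.split()
        events.append((datetime.fromisoformat(ts), src, method, host, path, int(out)))
    return events


def find_beacon_chains(log_text: str):
    """Per source host: profile lookup -> GitHub image fetch -> large cloud upload, all within WINDOW."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[1]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, method, host, path, _) in enumerate(evs):
            is_profile_lookup = (method == "GET" and host == "twitter.com"
                                 and PROFILE_PATH.match(path)
                                 and path not in TWITTER_NON_PROFILE)
            if not is_profile_lookup:
                continue
            later = [e for e in evs[i + 1:] if e[0] - t0 <= WINDOW]
            image = next((e for e in later if e[2] == "GET" and e[3] == "github.com"
                          and IMAGE_EXT.search(e[4])), None)
            upload = next((e for e in later if e[2] in ("PUT", "POST")
                           and e[3] in CLOUD_STORAGE_HOSTS
                           and e[5] >= UPLOAD_THRESHOLD), None)
            if image and upload:
                findings.append({
                    "src": src,
                    "day": t0.date().isoformat(),
                    "handle": path.lstrip("/"),
                    "image": image[4],
                    "upload_bytes": upload[5],
                })
    return findings


def rotating_handle_hosts(findings):
    """Hosts whose looked-up handle differs across days: the rotation itself is the tell."""
    handles = defaultdict(set)
    for f in findings:
        handles[f["src"]].add(f["handle"])
    return sorted(src for src, seen in handles.items() if len(seen) > 1)


if __name__ == "__main__":
    chains = find_beacon_chains(SAMPLE_LOG)
    for f in chains:
        print(f)
    print("hosts rotating handles:", rotating_handle_hosts(chains))
```

The second function is the part that survives the daily handle change: you do not need to know or block the handle of the day if the host that fetches a different one every morning and then uploads a few megabytes is already on your list. The workstation 10.1.4.23 in the sample, which merely browses Twitter's home page and an ordinary repository, produces no finding.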
One of the big concerns is that HAMMERTOSS does not have its own Command and Control (CnC) servers. Instead it uses compromised web servers. This makes it difficult to identify and take down its infrastructure. For security teams inside enterprises, this also raises the potential that their own servers could become compromised. If that happens, it will be extremely hard to detect an attack as it will use the LAN to distribute itself rather than external servers.
One solution to limiting the spread of HAMMERTOSS could be threat intelligence sharing, where users post information about attacks as they occur. While there is a risk that APT29 could themselves flood threat intelligence sites with false information, the current measures to validate postings should help to identify postings designed to mislead security teams.
This is a very sophisticated attack that is likely to gain major traction very quickly. Services such as Twitter are all about shortened URLs and images, with users rarely using tools such as LongURL to see whether the site they are being directed to is safe. To date, FireEye has not reported any use of ransomware as a payload for HAMMERTOSS, but it would not take much to add that to the list of existing payloads.
It will be interesting to see how quickly the security industry and law enforcement respond to take down the group responsible for HAMMERTOSS. However, if FireEye's suggestion in its report that the group is state sponsored is correct, takedown action is likely to be ineffective. In that case we will need to see how long it takes security vendors, and even Twitter, to create solutions to detect and prevent the continued spread of this malware.